https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/local-analysis-malware-and-wildfire-malware-alerts/m-p/1251874#M9242 <P>What&nbsp;susekar avoided to respond to is why <SPAN>Local Analysis Module is suddenly flagging these executables on its own when WildFire is out of reach and why hasn't Palo Alto adjusted its machine learning to tackle this issue.&nbsp;</SPAN></P> Wed, 08 Apr 2026 14:58:10 GMT rufat87 2026-04-08T14:58:10Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/local-analysis-malware-and-wildfire-malware-alerts/m-p/1246743#M9056 <P>Can someone explain the Local Analysis Malware and WildFire Malware alerts. The WildFire alerts seem straightforward for a file that it deems malware. On the other hand, the local analysis malware alerts trigger for a bunch of files but in the alert it has a wildfire report and verdict that says benign.&nbsp;<BR />Moving into suppressing these alerts, the module in the alert is listed as Local File Analysis and Wildfire. When adding the file to an exception, neither of those are a module choice to whitelist from. Under the assumption it was scanning based on the alert, I have tried adding it to the endpoint scanning and the PE and DLL examination modules but the alerts still trigger. Any help or explanation would be appreciated!</P> Tue, 27 Jan 2026 16:36:20 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/local-analysis-malware-and-wildfire-malware-alerts/m-p/1246743#M9056 clairamore 2026-01-27T16:36:20Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/local-analysis-malware-and-wildfire-malware-alerts/m-p/1246865#M9061 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1656590803">@clairamore</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P>Are you referring to the Local Analysis detections for the Microsoft binary <EM data-start="211" data-end="238">StoreDesktopExtension.exe</EM>? If so, please find the responses below. If your question is more general, kindly let me know.</P> <P>&nbsp;</P> <DIV class="test-id__field-label-container slds-form-element__label"><STRONG><SPAN class="test-id__field-label">Summary:</SPAN></STRONG></DIV> <DIV class="slds-form-element__control"><SPAN class="test-id__field-value slds-form-element__static slds-grow word-break-ie11 is-read-only">Local Analysis Module is generating False Positive (FP) issues/alerts on Windows endpoints for the Microsoft binary StoreDesktopExtension.exe. The verdict has been validated by the research team and updated in Wildfire.</SPAN></DIV> <DIV class="slds-form-element__control">&nbsp;</DIV> <DIV class="slds-form-element__control"> <DIV class="test-id__field-label-container slds-form-element__label"><STRONG><SPAN class="test-id__field-label">Symptom:</SPAN></STRONG></DIV> <DIV class="slds-form-element__icon"><SPAN>Customers have reported multiple alerts related to the unsigned Microsoft binary that has been distributed at least since January 2026.&nbsp;</SPAN></DIV> <DIV class="slds-form-element__control"> <DIV class="outputRichText"> <P>Indicators:</P> <UL> <LI>StoreDesktopExtension.exe</LI> <LI>SHA256 - ADEE0EC3096B4778F6A5951647371F3FF67B8FA0D96C37FB795BCFCFE0E1154E.</LI> </UL> <DIV class="test-id__field-label-container slds-form-element__label"><STRONG><SPAN class="test-id__field-label">Cause:</SPAN></STRONG></DIV> <DIV class="slds-form-element__icon"><SPAN>The root cause of the recurring False Positive (FP) is the detection by the Local Analysis module after it is unable to verify the WildFire verdict.</SPAN></DIV> <DIV class="slds-form-element__control"> <DIV class="outputRichText"> <P>The main issue to investigate is why the endpoint is not reaching the WildFire cloud.&nbsp;</P> <P>The following reasons have been observed so far due to the customer environment:</P> <UL> <LI>Access from the endpoint to the WildFire cloud is blocked in the customer firewall</LI> <LI>Deep packet inspection (DPI) is opening the SSL connection, forcing the agent to drop the connection to WildFire</LI> <LI>A combination of DPI plus Certificate Enforcement setting enabled in the Agent Settings policy</LI> </UL> <DIV class="test-id__field-label-container slds-form-element__label"><STRONG><SPAN class="test-id__field-label">Resolution</SPAN></STRONG></DIV> <DIV class="slds-form-element__icon"><SPAN>There are currently two approaches to resolve this issue.&nbsp;</SPAN></DIV> <DIV class="slds-form-element__icon">&nbsp;</DIV> <DIV class="slds-form-element__control"> <DIV class="outputRichText"> <P>-One is temporary, and will work for this specific file as long as the hash doesn't change for any reason.&nbsp;</P> <P>-The permanent fix is to ensure the XDR Agent can reach the WildFire cloud in order to obtain the latest verdicts.</P> <P>&nbsp;</P> <P>Both require an agent check-in as a final step to refresh the local databases.&nbsp;</P> <P>The temporary workaround for this specific hash is to add it to the Allow List:</P> <OL> <LI>Open the XSIAM Tenant UI</LI> <LI>Navigate to Investigation &amp; Response → Action Center</LI> <LI>Press the +New Action button</LI> <LI>Select the<SPAN>&nbsp;</SPAN><EM>Add to allow list</EM><SPAN>&nbsp;</SPAN>action in the list.</LI> <LI>Add the Hash<SPAN>&nbsp;</SPAN><EM>ADEE0EC3096B4778F6A5951647371F3FF67B8FA0D96C37FB795BCFCFE0E1154</EM>&nbsp;</LI> <LI>Add a comment that will help identify this change</LI> <LI>Follow through the next pages to apply the workaround</LI> </OL> <P>-------------------------------------------------------</P> <P>For a permanent fix, the root cause of the XDR Agent not reaching WildFire must be investigated and corrected.</P> <OL> <LI>Ensure the endpoints are allowed to reach the resources published in<SPAN>&nbsp;</SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Enable-access-to-required-PANW-resources" target="_blank" rel="noopener">https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Enable-access-to-required-PANW-resources</A></LI> <LI>Specifically, ensure the following FQDN can be reached on port TCP/443:<SPAN>&nbsp;</SPAN><STRONG><CODE>cc-<EM>&lt;xsiam-tenant&gt;</EM>.traps.paloaltonetworks.com</CODE></STRONG><SPAN>&nbsp;</SPAN>&nbsp;</LI> <LI>Review the Tech Support File, specifically the traps.d log and look for issues with the verdict FQDN from step 2.<BR /><BR /><BR /> <P>If you feel this has answered your query, please let us know by clicking like and on&nbsp;<STRONG>"mark this as a Solution".</STRONG></P> <P>&nbsp;</P> <P>Happy New year!!</P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> </LI> </OL> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> </DIV> Wed, 28 Jan 2026 14:31:04 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/local-analysis-malware-and-wildfire-malware-alerts/m-p/1246865#M9061 susekar 2026-01-28T14:31:04Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/local-analysis-malware-and-wildfire-malware-alerts/m-p/1246871#M9062 <P>Thanks Susekar but it is not in regard to that file. I have seen a lot of the local analysis malware alerts pop up for a bunch of different executables and DLLs but all of them have had benign wildfire scores.&nbsp;</P> Wed, 28 Jan 2026 15:24:22 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/local-analysis-malware-and-wildfire-malware-alerts/m-p/1246871#M9062 clairamore 2026-01-28T15:24:22Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/local-analysis-malware-and-wildfire-malware-alerts/m-p/1251874#M9242 <P>What&nbsp;susekar avoided to respond to is why <SPAN>Local Analysis Module is suddenly flagging these executables on its own when WildFire is out of reach and why hasn't Palo Alto adjusted its machine learning to tackle this issue.&nbsp;</SPAN></P> Wed, 08 Apr 2026 14:58:10 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/local-analysis-malware-and-wildfire-malware-alerts/m-p/1251874#M9242 rufat87 2026-04-08T14:58:10Z